Stop Managing 5 Tools for Remote Access—Pangolin Does It All
What if your entire remote access stack—VPN, reverse proxy, NAT traversal, SSL certificates, and zero-trust policies—could collapse into a single, elegant platform?
Here's the brutal truth most DevOps engineers won't admit until 2 AM on a Saturday: managing remote access infrastructure is a nightmare of fragmented tools, conflicting configurations, and security gaps wide enough to drive a container ship through. You're running WireGuard for mesh networking, nginx or Traefik for reverse proxying, Let's Encrypt for certificates, some janky script for NAT traversal, and praying your identity provider plays nice with everything. It's exhausting. It's expensive. And it's absolutely unnecessary.
Enter Pangolin—the open-source, identity-aware remote access platform that's making senior engineers quietly replace their entire remote access stack. Built on the battle-tested WireGuard® protocol, Pangolin fuses reverse proxy and VPN capabilities into one cohesive system. No more duct-taping five tools together. No more praying your SSH tunnel holds through a corporate firewall. No more exposing entire networks just to give a contractor access to one database.
This isn't another "me-too" VPN tool. Pangolin represents a fundamental architectural shift: identity-based, granular access control married to intelligent NAT traversal and browser-based application delivery. Whether you're a solo developer self-hosting homelab services or an enterprise architect designing zero-trust infrastructure, Pangolin demands your attention. The project is gaining serious traction on GitHub, with a growing community on Discord and Slack, and commercial backing that ensures long-term viability.
Ready to understand why engineers are quietly migrating? Let's dissect what makes Pangolin genuinely different.
What is Pangolin? The Remote Access Platform That Changes Everything
Pangolin is an open-source, identity-based remote access platform built on WireGuard® that fundamentally reimagines how organizations connect users to resources. Created by Fossorial, Inc. and licensed under the AGPL-3 (with commercial licensing available), Pangolin occupies a unique position in the infrastructure tooling landscape: it's simultaneously a VPN solution, a reverse proxy, a zero-trust access control system, and a NAT traversal engine.
The project's name evokes its core capability—like the armored mammal that protects itself while navigating complex terrain, Pangolin creates secure tunnels through hostile network environments. The repository lives at github.com/fosrl/pangolin, where it's accumulating stars and contributions from engineers tired of traditional remote access limitations.
Why Pangolin is trending now:
The remote work revolution permanently shattered the perimeter security model. Organizations now face a paradox: users need seamless access to distributed resources, but every exposed port and broad network access creates attack surface. Traditional VPNs solve connectivity by exposing entire networks. Traditional reverse proxies solve application access but leave non-HTTP resources unaddressed. Pangolin's genius is recognizing these aren't separate problems—they're manifestations of the same challenge: how do you provide precise, identity-verified access to specific resources without network exposure?
The market response has been explosive. With available deployment options ranging from fully-managed Pangolin Cloud to self-hosted Community Edition and Enterprise Edition (free for businesses under $100K gross annual revenue), Pangolin meets organizations exactly where they are in their infrastructure maturity. The DigitalOcean Marketplace one-click installer removes friction for teams wanting immediate results.
Key Features: The Technical Depth That Matters
Site Connectors with Intelligent NAT Traversal
Pangolin's site connectors function as secure gateways into arbitrary networks. Deployed as lightweight binaries or containers on any platform, these connectors establish outbound tunnels—a critical architectural decision that eliminates inbound firewall rules. The intelligent NAT traversal handles symmetric NATs, carrier-grade NAT, and restrictive corporate firewalls that would cripple traditional VPN solutions.
Technical significance: Outbound-only tunnels mean your network never listens on external ports. The connector initiates all connections, traversing NAT boundaries through sophisticated hole-punching techniques. This enables access to resources behind networks with no public IP address whatsoever—a scenario impossible with conventional reverse proxies.
Identity and Context-Aware Tunneled Reverse Proxy
For web applications, Pangolin operates as a tunneled reverse proxy with deep identity integration. Users authenticate through browsers—no client installation required—and access flows through encrypted tunnels with automatic SSL certificate provisioning. But unlike standard reverse proxies, Pangolin enforces granular, per-resource access policies based on user identity and contextual factors.
Built-in capabilities include:
- Automatic routing and load balancing across multiple upstream instances
- Health checking with intelligent failover
- Automatic SSL certificates via Let's Encrypt integration
- Zero direct network exposure—your applications remain completely invisible to the public internet
Client-Based Private Resource Access
Not everything speaks HTTP. For SSH servers, databases, RDP sessions, and entire network ranges, Pangolin provides native clients across all major platforms: macOS, Windows, Linux, iOS, and Android. These clients leverage the same WireGuard foundation with DNS aliases for human-friendly resource naming and multi-connector redundancy for production-critical paths.
Granular RBAC with Zero-Trust Architecture
This is where Pangolin diverges radically from traditional VPNs. Instead of connecting users to networks, Pangolin connects identities to specific resources. The built-in user management supports external identity provider integration (SAML/OIDC), enabling role-based access control (RBAC) that grants precise permissions. A contractor gets access to exactly one staging database—not your entire VPC. A support engineer reaches only the specified log aggregation service—not production servers.
Use Cases: Where Pangolin Absolutely Dominates
1. Multi-Cloud and Hybrid Infrastructure Access
Modern infrastructure sprawls across AWS, GCP, Azure, and on-premise data centers. Traditional approaches require separate VPN concentrators per environment or dangerous peering configurations. Pangolin's site connectors deploy anywhere—cloud VM, Kubernetes cluster, Raspberry Pi in a closet—and unify access through a single control plane. One identity, one client, every resource.
2. Secure Third-Party and Contractor Access
The nightmare scenario: granting a vendor VPN access and discovering they can reach your entire production network. Pangolin's zero-trust model eliminates this risk entirely. Create a role with access to exactly the Jira instance, specific API endpoint, or designated SSH bastion they need. When the contract ends, revoke one role—not reconfigure network ACLs across three environments.
3. Homelab and Self-Hosted Service Exposure
Self-hosters face a cruel choice: expose ports directly (dangerous), pay for VPS tunneling (expensive), or struggle with dynamic DNS and manual certificate management (tedious). Pangolin's outbound connectors and automatic SSL solve this elegantly. Host Plex, Nextcloud, or that custom app on your home server with no open ports, no DDNS, no certificate headaches.
4. Development and Staging Environment Access
Developers need rapid access to databases, message queues, and internal APIs across multiple environments. Pangolin's DNS aliases provide memorable names (prod-db.internal, staging-redis.dev), while granular controls ensure developers automatically get appropriate environment access based on their team membership. Onboard a new engineer in minutes, not days.
5. IoT and Edge Device Management
Deploy site connectors on edge hardware to create persistent, manageable tunnels for remote diagnostics and updates. The lightweight binary runs on constrained devices, and the identity layer ensures only authorized maintenance accounts can reach critical infrastructure.
Step-by-Step Installation & Setup Guide
Pangolin offers multiple deployment paths depending on your requirements and infrastructure sophistication.
Option 1: Pangolin Cloud (Fastest Path)
For immediate access without infrastructure management:
```bash
# No installation required: open the signup page in your browser
open https://app.pangolin.net/auth/signup   # macOS; on Linux use xdg-open instead
```
Navigate to app.pangolin.net, create your free account, and begin configuring resources through the web interface. The managed service handles all infrastructure concerns.
Option 2: DigitalOcean One-Click Install (Recommended for Self-Hosting)
For pre-configured self-hosted deployment:
```bash
# Deploy via DigitalOcean Marketplace
# Visit: https://marketplace.digitalocean.com/apps/pangolin-ce-1?refcode=edf0480eeb81
# Complete server provisioning through DO interface
# Pangolin CE comes pre-installed and pre-configured
```
This provides a production-ready instance with minimal manual configuration.
Option 3: Docker Self-Hosting (Maximum Control)
For teams wanting complete control over their deployment:
```bash
# Pull the official Pangolin container image
docker pull fosrl/pangolin:latest
# Inspect the pulled image's tags and content digest. This is metadata only,
# not a signature check: compare the digest against the one the project publishes
docker inspect fosrl/pangolin:latest | grep -E 'RepoTags|RepoDigests'
# Run with essential environment configuration
# (Consult docs.pangolin.net for complete configuration reference)
docker run -d \
  --name pangolin \
  --restart unless-stopped \
  -p 443:443 \
  -p 51820:51820/udp \
  -v pangolin-data:/data \
  -e PANGOLIN_DOMAIN=your-domain.com \
  fosrl/pangolin:latest
```
Critical configuration steps for self-hosted deployments:
- DNS Configuration: Point your domain's A/AAAA records to your Pangolin host
- Firewall Rules: Allow UDP 51820 (WireGuard) and TCP 443 (HTTPS reverse proxy)
- SSL Certificates: Automatic via Let's Encrypt—ensure port 80 is available for ACME challenges if not using DNS validation
- Identity Provider Integration: Configure OIDC/SAML in config.yml for enterprise SSO
Client Installation
After server deployment, install the appropriate client for your platform:
```bash
# macOS
curl -L https://pangolin.net/downloads/mac -o pangolin-client.dmg
# Linux (generic binary)
wget https://pangolin.net/downloads/linux -O pangolin-client
chmod +x pangolin-client
sudo mv pangolin-client /usr/local/bin/
# Verify installation
pangolin-client --version
```
Windows and mobile clients are available through their respective app stores and download pages.
REAL Code Examples: Pangolin in Action
While Pangolin's primary interface is declarative configuration and web UI, understanding the underlying patterns requires examining actual implementation approaches from the project documentation and deployment practices.
Example 1: Docker Compose Deployment for Production
The following represents a production-ready Docker Compose configuration for self-hosted Pangolin, incorporating essential services and persistent storage:
```yaml
# docker-compose.yml - Production Pangolin deployment
version: '3.8'

services:
  pangolin:
    image: fosrl/pangolin:latest
    container_name: pangolin
    restart: unless-stopped
    # Critical: WireGuard requires NET_ADMIN for network interface manipulation
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    # Kernel module loading for WireGuard (host may need wg module)
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1
    ports:
      # HTTPS reverse proxy and web UI
      - "443:443"
      # WireGuard UDP port, must match server configuration
      - "51820:51820/udp"
    volumes:
      # Persistent storage for certificates, keys, and database
      - pangolin-data:/data
      # Mount host modules for WireGuard kernel support
      - /lib/modules:/lib/modules:ro
    environment:
      # Your configured domain, must resolve to this host
      - PANGOLIN_DOMAIN=access.example.com
      # Raise to "debug" during initial setup, then return to "info"
      - LOG_LEVEL=info
    networks:
      - pangolin-net

volumes:
  pangolin-data:
    driver: local

networks:
  pangolin-net:
    driver: bridge
```
Explanation: This configuration demonstrates Pangolin's container requirements. The NET_ADMIN capability is non-negotiable—WireGuard interface creation requires network administration privileges. The sysctl settings enable IP forwarding, essential for routing traffic between connected clients and protected resources. The UDP port exposure (51820) is the WireGuard listen port; your client configurations must target this. Persistent volume storage prevents certificate and identity data loss on container restart.
Example 2: Site Connector Deployment Script
For deploying site connectors on remote networks (the agents that enable NAT traversal), a typical systemd-managed installation:
```bash
#!/bin/bash
# install-connector.sh - Deploy Pangolin site connector on edge node
# Run on any Linux host needing inbound connectivity without public IP
set -euo pipefail

CONNECTOR_VERSION="latest"
INSTALL_DIR="/opt/pangolin-connector"
CONFIG_DIR="/etc/pangolin"
LOG_DIR="/var/log/pangolin"

# Fail early if the site token is missing, before anything is installed
: "${PANGOLIN_SITE_TOKEN:?Set PANGOLIN_SITE_TOKEN environment variable}"

# Create dedicated system user (no login shell) for security isolation
sudo useradd -r -s /bin/false pangolin 2>/dev/null || true

# Download platform-appropriate binary
# Architecture detection for ARM64 (edge devices) vs AMD64 (servers)
ARCH=$(uname -m)
case "$ARCH" in
  x86_64)  BINARY_ARCH="amd64" ;;
  aarch64) BINARY_ARCH="arm64" ;;
  *) echo "Unsupported architecture: $ARCH" >&2; exit 1 ;;
esac

# GitHub serves the newest release at releases/latest/download/<asset>;
# a pinned tag uses releases/download/<tag>/<asset>
if [ "$CONNECTOR_VERSION" = "latest" ]; then
  DOWNLOAD_URL="https://github.com/fosrl/pangolin/releases/latest/download/pangolin-connector-linux-${BINARY_ARCH}"
else
  DOWNLOAD_URL="https://github.com/fosrl/pangolin/releases/download/${CONNECTOR_VERSION}/pangolin-connector-linux-${BINARY_ARCH}"
fi

echo "Downloading Pangolin connector for ${BINARY_ARCH}..."
sudo mkdir -p "${INSTALL_DIR}"
sudo curl -fsSL "${DOWNLOAD_URL}" -o "${INSTALL_DIR}/pangolin-connector"
# Binary stays root-owned and read-only for the service user, so a
# compromised connector process cannot replace its own executable
sudo chmod 0755 "${INSTALL_DIR}/pangolin-connector"

# Configuration from Pangolin control plane
# Obtain this token from: app.pangolin.net > Sites > New Site > Connector Token
sudo mkdir -p "${CONFIG_DIR}" "${LOG_DIR}"
sudo tee "${CONFIG_DIR}/connector.yml" > /dev/null <<EOF
# Site connector configuration
server_url: wss://access.example.com/connector
site_token: "${PANGOLIN_SITE_TOKEN}"

# Local network routes this connector exposes
# Only specify what should be reachable: principle of least privilege
local_routes:
  - 192.168.1.0/24   # Internal LAN
  - 10.0.0.5/32      # Specific database host

# Connection resilience
heartbeat_interval: 30s
reconnect_backoff: 5s
EOF
# The config file holds a secret: readable by the service user only
sudo chown root:pangolin "${CONFIG_DIR}/connector.yml"
sudo chmod 0640 "${CONFIG_DIR}/connector.yml"
sudo chown pangolin:pangolin "${LOG_DIR}"

# Systemd service for automatic startup and monitoring
sudo tee /etc/systemd/system/pangolin-connector.service > /dev/null <<'EOF'
[Unit]
Description=Pangolin Site Connector
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=pangolin
Group=pangolin
ExecStart=/opt/pangolin-connector/pangolin-connector -config /etc/pangolin/connector.yml
Restart=always
RestartSec=5
# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
# Must exist before start; with ProtectSystem=strict everything else is read-only
ReadWritePaths=/var/log/pangolin

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl daemon-reload
sudo systemctl enable --now pangolin-connector

# Verify connectivity
echo "Checking connector status..."
sudo systemctl status pangolin-connector --no-pager
```
Explanation: This script embodies Pangolin's distributed architecture. The site connector is the magic that enables NAT traversal—it runs inside protected networks and establishes outbound WebSocket connections to your Pangolin server. No inbound firewall rules required. The local_routes configuration demonstrates granular exposure—you explicitly declare what becomes reachable, maintaining zero-trust principles even within "trusted" networks. The systemd hardening shows production security practices.
Example 3: Resource and Access Policy Configuration
While Pangolin's primary configuration is UI-driven, understanding the policy model requires examining how resources and access rules are structured:
```yaml
# Conceptual resource configuration illustrating Pangolin's access model
# Configured through web UI or API; shown here for architectural understanding
resources:
  # Web application: accessible via browser, no client needed
  - name: grafana-monitoring
    type: http
    upstream: http://10.0.0.10:3000
    public_address: grafana.access.example.com
    access_policy:
      # Authentication required: yes
      authentication: required
      # Identity provider group membership
      allowed_roles: ["platform-engineers", "sre-oncall"]
      # Context-aware restrictions
      conditions:
        - mfa_required: true
        - time_restriction:
            timezone: America/New_York
            allowed_hours: { start: "08:00", end: "22:00" }
    security:
      # Automatic TLS via Let's Encrypt
      tls: automatic
      # Request filtering
      rate_limit: 100/minute
      # Header injection for upstream identification
      headers:
        X-Forwarded-User: "{{user.email}}"
        X-Pangolin-Source: "{{client.ip}}"

  # Private resource: requires Pangolin client, any protocol
  - name: production-postgres
    type: tcp
    upstream: 10.0.0.20:5432
    # No public address: only reachable through client tunnel
    dns_alias: prod-db.internal
    access_policy:
      # Narrowest possible access
      allowed_users: ["dba-lead@example.com"]
      # Audit all connections
      session_recording: required
      # Automatic access expiration
      temporary_grant:
        duration: 4h
        requires_approval: true
    # Multi-site redundancy for critical infrastructure
    site_connectors:
      primary: site-aws-us-east-1
      fallback: site-aws-us-west-2
```
Explanation: This configuration reveals Pangolin's architectural sophistication. HTTP resources get browser-based access with full reverse proxy capabilities—TLS termination, header manipulation, rate limiting. TCP resources require the Pangolin client but gain protocol-agnostic access—PostgreSQL, SSH, Redis, anything. The access_policy demonstrates true zero-trust: MFA requirements, time-based restrictions, just-in-time access with approval workflows, and session recording. The dns_alias provides memorable names that resolve through the client tunnel, eliminating IP memorization. Multi-site redundancy ensures critical resources remain accessible even during regional failures.
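To make the policy model concrete, here is an added example (not Pangolin's code, and not how the project evaluates policies internally) that implements a deny-by-default decision function over the conceptual access_policy shape above: role and user allow-lists, the mfa_required and time_restriction conditions, and a temporary_grant with approval and expiry. The Principal and Grant structures, the decision order, and the scenario data are assumptions; the policy keys are transcribed from the illustrative YAML.

```python
# Added example, not Pangolin's own code: a minimal evaluator for the
# conceptual access_policy model above. Keys mirror the illustrative YAML
# (allowed_roles, allowed_users, conditions, temporary_grant); the decision
# logic and the Principal/Grant shapes are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple
from zoneinfo import ZoneInfo


@dataclass
class Principal:
    """What the identity provider asserted about the caller."""
    email: str
    roles: Set[str] = field(default_factory=set)
    mfa_verified: bool = False


@dataclass
class Grant:
    """A just-in-time grant issued against a temporary_grant policy."""
    issued_at: datetime
    approved: bool = False


def parse_duration(text: str) -> timedelta:
    """Parse the compact '4h' / '30m' / '15s' form used in the YAML."""
    units = {"h": "hours", "m": "minutes", "s": "seconds"}
    return timedelta(**{units[text[-1]]: int(text[:-1])})


def within_window(now: datetime, restriction: Dict) -> bool:
    """Convert timezone-aware `now` into the policy's timezone and compare
    the local wall-clock time against allowed_hours start/end."""
    local = now.astimezone(ZoneInfo(restriction["timezone"])).time()
    hours = restriction["allowed_hours"]
    start = datetime.strptime(hours["start"], "%H:%M").time()
    end = datetime.strptime(hours["end"], "%H:%M").time()
    return start <= local <= end


def evaluate(policy: Dict, who: Principal, now: datetime,
             grant: Optional[Grant] = None) -> Tuple[bool, str]:
    """Deny-by-default: every rule present in the policy must pass.
    Returns (allowed, reason) so the reason can be written to the audit log."""
    if policy.get("authentication", "required") == "required" and not who.email:
        return False, "unauthenticated"
    if "allowed_users" in policy and who.email not in policy["allowed_users"]:
        return False, "user not in allowed_users"
    if "allowed_roles" in policy and not set(policy["allowed_roles"]) & who.roles:
        return False, "no matching role"
    for cond in policy.get("conditions", []):
        if cond.get("mfa_required") and not who.mfa_verified:
            return False, "mfa required"
        restriction = cond.get("time_restriction")
        if restriction and not within_window(now, restriction):
            return False, "outside allowed hours"
    temp = policy.get("temporary_grant")
    if temp:
        if grant is None:
            return False, "temporary grant required"
        if temp.get("requires_approval") and not grant.approved:
            return False, "grant not approved"
        if now > grant.issued_at + parse_duration(temp["duration"]):
            return False, "grant expired"
    return True, "ok"


# Constructed policies, transcribed from the YAML above.
GRAFANA_POLICY = {
    "authentication": "required",
    "allowed_roles": ["platform-engineers", "sre-oncall"],
    "conditions": [
        {"mfa_required": True},
        {"time_restriction": {"timezone": "America/New_York",
                              "allowed_hours": {"start": "08:00", "end": "22:00"}}},
    ],
}
POSTGRES_POLICY = {
    "allowed_users": ["dba-lead@example.com"],
    "session_recording": "required",
    "temporary_grant": {"duration": "4h", "requires_approval": True},
}


def run_scenarios() -> List[Tuple[bool, str]]:
    """Constructed scenarios against both policies; returns decisions in order."""
    utc = ZoneInfo("UTC")
    workday = datetime(2024, 6, 3, 14, 0, tzinfo=utc)  # 10:00 in New York (EDT)
    late = datetime(2024, 6, 4, 3, 0, tzinfo=utc)      # 23:00 in New York
    oncall = Principal("eng@example.com", {"sre-oncall"}, mfa_verified=True)
    no_mfa = Principal("eng@example.com", {"sre-oncall"}, mfa_verified=False)
    intern = Principal("intern@example.com", {"interns"}, mfa_verified=True)
    dba = Principal("dba-lead@example.com", mfa_verified=True)
    fresh = Grant(issued_at=datetime(2024, 6, 3, 13, 0, tzinfo=utc), approved=True)
    stale = Grant(issued_at=datetime(2024, 6, 3, 8, 0, tzinfo=utc), approved=True)
    return [
        evaluate(GRAFANA_POLICY, oncall, workday),       # allowed
        evaluate(GRAFANA_POLICY, no_mfa, workday),       # mfa required
        evaluate(GRAFANA_POLICY, intern, workday),       # no matching role
        evaluate(GRAFANA_POLICY, oncall, late),          # outside allowed hours
        evaluate(POSTGRES_POLICY, dba, workday, fresh),  # allowed, grant valid
        evaluate(POSTGRES_POLICY, dba, workday, stale),  # grant expired
        evaluate(POSTGRES_POLICY, dba, workday),         # no grant
        evaluate(POSTGRES_POLICY, oncall, workday, fresh),  # not in allowed_users
    ]


if __name__ == "__main__":
    for decision in run_scenarios():
        print(decision)
```

The evaluator returns a reason with every decision rather than a bare boolean, which is what makes the "comprehensive audit logging" described later in the FAQ useful: an authorization denial that is logged as "grant expired" or "outside allowed hours" is something a SOC analyst can act on.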
Advanced Usage & Best Practices
High-Availability Architectures
For production deployments, run multiple Pangolin server instances behind a load balancer with shared storage for certificates and state. Site connectors support multiple upstream servers—configure fallback servers for automatic failover during maintenance.
Certificate Management at Scale
Pangolin's automatic Let's Encrypt integration works brilliantly until you hit rate limits. For large deployments, implement DNS-01 challenges (supporting wildcard certificates) and consider integrating with internal PKI for private resources that don't need public trust.
Identity Provider Integration Patterns
Don't use local users for production. Integrate your existing IdP (Okta, Azure AD, Google Workspace) via OIDC. Map IdP groups to Pangolin roles for automatic access provisioning. Implement SCIM if available for real-time user lifecycle management.
Monitoring and Observability
Export Pangolin metrics to your Prometheus/Grafana stack. Monitor connector health, tunnel throughput, authentication failures, and certificate expiration. Set alerts for connector disconnections—these often indicate network issues or security events.
Security Hardening
- Run site connectors with minimal privileges (the dedicated user approach shown above)
- Enable session recording for privileged access
- Implement automatic access reviews—Pangolin's granular model makes this feasible
- Regularly audit resource policies for scope creep
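The last point, auditing policies for scope creep, and the least-privilege local_routes in the connector script earlier both lend themselves to automation. The following is an added example (not Pangolin's code or API) that walks a configuration in the shape of the illustrative YAML on this page and flags the drift a reviewer would look for: connector routes wider than a /24, resources admitting any authenticated user, browser-facing resources without MFA, and private TCP resources without session recording or with a public address. The `sites` wrapper, the thresholds, and the sample configuration are constructed assumptions.

```python
# Added example, not Pangolin's own code: a scope-creep audit over the kind
# of connector local_routes and resource access_policy definitions shown on
# this page. Keys follow the illustrative YAML above; the thresholds and the
# sample configuration are constructed assumptions.
import ipaddress
from typing import Dict, List

MAX_ROUTE_ADDRESSES = 256  # assumption: anything wider than a /24 deserves review


def audit_routes(site: str, routes: List[str]) -> List[str]:
    """Flag invalid or overly broad local_routes declared by a site connector."""
    findings = []
    for route in routes:
        try:
            net = ipaddress.ip_network(route, strict=False)
        except ValueError:
            findings.append(f"{site}: route {route!r} is not a valid CIDR")
            continue
        if net.num_addresses > MAX_ROUTE_ADDRESSES:
            findings.append(f"{site}: route {route} exposes {net.num_addresses} addresses; "
                            "narrow it to the hosts that must be reachable")
    return findings


def audit_resource(res: Dict) -> List[str]:
    """Check one resource's access_policy against a least-privilege baseline."""
    name = res.get("name", "<unnamed>")
    policy = res.get("access_policy", {})
    conditions = policy.get("conditions", [])
    findings = []
    if policy.get("authentication", "required") != "required":
        findings.append(f"{name}: authentication is not required")
    if not policy.get("allowed_roles") and not policy.get("allowed_users"):
        findings.append(f"{name}: no allowed_roles or allowed_users, "
                        "so any authenticated user is admitted")
    if res.get("type") == "http" and not any(c.get("mfa_required") for c in conditions):
        findings.append(f"{name}: browser-facing resource without mfa_required")
    if res.get("type") == "tcp":
        if policy.get("session_recording") != "required":
            findings.append(f"{name}: private TCP resource without session_recording")
        if res.get("public_address"):
            findings.append(f"{name}: private TCP resource has a public_address")
    return findings


def audit(config: Dict) -> List[str]:
    """Run both checks over a whole configuration and return every finding."""
    findings = []
    for site in config.get("sites", []):
        findings += audit_routes(site["name"], site.get("local_routes", []))
    for res in config.get("resources", []):
        findings += audit_resource(res)
    return findings


# Constructed sample: one connector that has grown a /8, one well-scoped
# resource, one wide-open wiki, and one database without session recording.
SAMPLE_CONFIG = {
    "sites": [
        {"name": "site-home",
         "local_routes": ["192.168.1.0/24", "10.0.0.5/32", "10.0.0.0/8"]},
    ],
    "resources": [
        {"name": "grafana-monitoring", "type": "http",
         "access_policy": {"authentication": "required",
                           "allowed_roles": ["platform-engineers", "sre-oncall"],
                           "conditions": [{"mfa_required": True}]}},
        {"name": "team-wiki", "type": "http",
         "access_policy": {"authentication": "required"}},
        {"name": "legacy-db", "type": "tcp", "dns_alias": "legacy-db.internal",
         "access_policy": {"allowed_users": ["dba-lead@example.com"]}},
    ],
}

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Running the sample yields four findings: the /8 route on site-home, two for team-wiki (no role restriction, no MFA) and one for legacy-db (no session recording); grafana-monitoring passes. Wiring a check like this into a scheduled job or a CI step on exported policy gives the "automatic access review" above a concrete, repeatable form.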
Comparison with Alternatives: Why Pangolin Wins
| Capability | Pangolin | Traditional VPN (OpenVPN/WireGuard) | Reverse Proxy (nginx/Traefik) | Zero-Trust (Tailscale/Cloudflare Tunnel) |
|---|---|---|---|---|
| Browser-based app access | ✅ Native, with auth | ❌ Requires client always | ✅ Yes, but no built-in identity | ✅ Limited |
| Non-HTTP protocol support | ✅ Full VPN client | ✅ Yes | ❌ No | ✅ Yes |
| Granular resource access | ✅ Per-resource RBAC | ❌ Network-level only | ❌ Host-level at best | ✅ Yes |
| NAT traversal without public IP | ✅ Outbound connectors | ❌ Requires inbound port | ❌ Requires inbound port | ✅ Yes |
| Self-hosting without vendor lock-in | ✅ Open source AGPL | ✅ Yes | ✅ Yes | ❌ Proprietary control plane |
| Automatic SSL certificates | ✅ Built-in | ❌ Manual/Let's Encrypt separately | ✅ Often built-in | ✅ Yes |
| Identity provider integration | ✅ Native OIDC/SAML | ❌ Usually separate RADIUS/LDAP | ❌ Requires external auth | ✅ Yes |
| Unified management plane | ✅ Single UI/API | ❌ Multiple tools | ❌ Multiple tools | ✅ Yes |
The decisive advantage: Pangolin uniquely combines all capabilities without forcing architectural compromises. Traditional VPNs expose networks. Pure reverse proxies ignore non-HTTP traffic. Existing zero-trust solutions often trap you in proprietary ecosystems. Pangolin delivers comprehensive functionality with genuine open-source freedom.
FAQ: Critical Questions Engineers Actually Ask
Is Pangolin truly free for self-hosting?
Yes. The Community Edition is fully open-source under AGPL-3 with no artificial limitations. The Enterprise Edition adds commercial support and features for larger organizations, but remains free for businesses under $100K gross annual revenue.
How does Pangolin compare to raw WireGuard?
Pangolin uses WireGuard for its cryptographic and transport foundation but adds identity management, NAT traversal intelligence, reverse proxy capabilities, and granular access control that raw WireGuard lacks entirely.
Can I migrate from Tailscale or Cloudflare Tunnel?
Absolutely. Pangolin's site connectors directly replace tunnel-based connectivity, with the added benefit of self-hosted control plane and no per-user pricing. Migration involves deploying Pangolin connectors alongside existing solutions, validating access, then decommissioning.
Does Pangolin work with Kubernetes?
Yes. Deploy site connectors as DaemonSets or sidecars for cluster-internal resource exposure. The container-native architecture integrates cleanly with existing Kubernetes networking and security patterns.
What about performance overhead?
WireGuard's kernel-optimized cryptography minimizes latency impact. Pangolin's userspace components add negligible overhead for most workloads. Benchmark your specific use case, but expect performance competitive with direct WireGuard connections.
How is access logging handled?
Comprehensive audit logging tracks authentication events, authorization decisions, connection establishment, and data transfer volumes. Export to SIEM platforms via standard logging pipelines.
Can I use Pangolin for customer-facing applications?
While architecturally capable, Pangolin optimizes for internal and B2B access scenarios. For high-scale public applications, dedicated CDN and WAF solutions may be more appropriate, though Pangolin excels for authenticated partner portals.
Conclusion: The Remote Access Stack You Actually Need
After dissecting Pangolin's architecture, examining real deployment patterns, and comparing against established alternatives, the conclusion is unmistakable: Pangolin represents the future of remote access infrastructure.
The industry has tolerated fragmented, insecure remote access for too long. We've accepted VPNs that expose entire networks. We've endured reverse proxies that can't handle a database connection. We've paid premium prices for zero-trust solutions that hold our configuration hostage. Pangolin rejects all these compromises.
What impresses most is the architectural coherence. Every feature—site connectors, tunneled reverse proxy, identity-aware policies, multi-platform clients—serves the unified vision of precise, verifiable, manageable access to distributed resources. The open-source foundation under AGPL-3, with sustainable commercial backing, provides confidence in long-term viability.
For individual developers, the free tier and straightforward self-hosting democratize capabilities previously reserved for enterprise budgets. For platform teams, the unified control plane eliminates operational toil across multiple tools. For security-conscious organizations, the zero-trust model finally becomes implementable without vendor lock-in.
Your next step is simple: Experience Pangolin directly. Create a free account at app.pangolin.net for immediate managed service access, or visit github.com/fosrl/pangolin to explore the source, read comprehensive documentation at docs.pangolin.net, and join the active community on Discord. The README provides orientation, but the documentation contains everything for production deployment.
Stop duct-taping remote access together. Pangolin is the platform you've been waiting for.